Session ACLs on RVI

Introduction- Up to and including the 7.3.0.0 releases, MAS supported Session ACLs on a user-role only, which restricted them to untrusted users on the switch. As of today, all non-user-based ACLs are either ingress- or egress-based and are programmed into the Marvell TCAM.

To extend the advantages and actions of Session ACLs, such as NATting and redirect to a tunnel, together with their bidirectional, dynamic and stateful properties, to trusted ports and non-user traffic as well, Session ACLs can now be applied on an RVI.

Starting with 7.4.0.0, trusted/non-user traffic can be processed by Session ACLs on an RVI; these are implemented in software. NAT pools are now supported as well, and a configured NAT pool can be referenced from a Session ACL.

Feature Notes- Only traffic that falls into one of the following categories is software forwarded:

NAT (source/destination/dual NAT) action

Redirect through tunnel action

Traffic going over an interface vlan which has "session-processing" enabled

Sessions are created only for this traffic. Because it is handled in software, a maximum rate of 40 kpps can be expected. All other traffic that matches a Session ACL whose entries do not carry one of the actions listed above is treated in a stateless manner.

The above applies to both Session ACLs on an RVI and Session ACLs on a user-role.